Peter Milesson
2023-Apr-12 19:42 UTC
[Samba] error trying to authenticate from Linux to AD
On 12.04.2023 21:26, Gary Dale via samba wrote:
> I'm following the Debian wiki at
> https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory since
> it seems to be the only one I can find and since I'm running
> Debian/Bookworm on an AMD64 system. I'm in the section "Configure
> Kerberos" which is near the start.
>
> My /etc/krb5.conf file (with most comments removed) is:
>
>> # cat /etc/krb5.conf
>> [logging]
>>         Default = FILE:/var/log/krb5.log
>>
>> [libdefaults]
>>         default_realm = HOME.RAHIM-DALE.ORG
>>         ticket_lifetime = 24000
>>         clock-skew = 300
>> # The following libdefaults parameters are only for Heimdal Kerberos.
>>         fcc-mit-ticketflags = true
>>         rdns = false
>> [realms]
>>         HOME.RAHIM-DALE.ORG = {
>>                 kdc = dc1.home.rahim-dale.org
>>                 admin_server = dc1.home.rahom-dale.org
>>         }
>>
>> [domain_realm]
>>         .rahim-dale.org = HOME.RAHIM-DALE.ORG
>>         rahim-dale.org = HOME.RAHIM-DALE.ORG
>>
> I've also tried it with Heimdal Kerberos parameters commented out. It
> didn't make any difference. I get the same error. Web searches say
> this is usually a result of capitalization errors in the .conf file,
> but it seems OK to me.
>
>> root@transponder:~# kinit Administrator@home.rahim-dale.org
>> Password for Administrator@home.rahim-dale.org:
>> kinit: KDC reply did not match expectations while getting initial
>> credentials
>>
> The krb5.conf file on the DC is:
>
>> [libdefaults]
>> default_realm = HOME.RAHIM-DALE.ORG
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> [realms]
>> HOME.RAHIM-DALE.ORG = {
>> default_domain = home.rahim-dale.org
>> }
>>
>> [domain_realm]
>> dc1 = HOME.RAHIM-DALE.ORG
>>
>
> Any ideas on what I'm doing wrong?

Hi Gary,

My krb5.conf on the second DC (the one without FSMO roles) has got the
entry under [domain_realm] all in upper case, like DC1 = HOME.RAHIM-DALE.ORG.
Kerberos seems to be picky about upper case, but it's just an idea.

On the member server your krb5.conf should just be:

[libdefaults]
        default_realm = HOME.RAHIM-DALE.ORG
        dns_lookup_realm = false
        dns_lookup_kdc = true

Best regards,

Peter
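As an added illustration (not code from this thread, nor from Samba or MIT Kerberos), a small Python model of the two things under discussion: how libkrb5 maps a hostname to a realm through [domain_realm], and a check that flags a realm name, in a principal or in a [domain_realm] value, that equals a configured realm only when letter case is ignored. The sample configuration is constructed from the values quoted above; the parser assumes only the flat relations and realm stanzas shown there, and the DNS TXT fallback is not modelled.

```python
# Constructed sample, modelled on the krb5.conf quoted in this thread.
SAMPLE_CONF = """
[libdefaults]
    default_realm = HOME.RAHIM-DALE.ORG
[realms]
    HOME.RAHIM-DALE.ORG = {
        kdc = dc1.home.rahim-dale.org
    }
[domain_realm]
    .rahim-dale.org = HOME.RAHIM-DALE.ORG
    rahim-dale.org = HOME.RAHIM-DALE.ORG
"""

def parse_krb5_conf(text):
    """{section: {tag: value}}; a stanza 'NAME = {' becomes tag NAME with '' and its nested relations are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        if line == "}":
            depth -= 1
            continue
        tag, _, value = (p.strip() for p in line.partition("="))
        if tag and current is not None and depth == 0:
            current[tag] = "" if value == "{" else value
        depth += 1 if value == "{" else 0
    return sections

def host_realm(sections, hostname):
    """Documented [domain_realm] lookup order: the lowercased hostname itself,
    then each '.suffix' from most to least specific, else default_realm."""
    mapping = {k.lower(): v for k, v in sections.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")               # libkrb5 cleans the name the same way
    labels = host.split(".")
    for cand in [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]:
        if cand in mapping:
            return mapping[cand]
    return sections.get("libdefaults", {}).get("default_realm")

def realm_case_problems(sections, principal):
    """Realm names are case-sensitive: report names that match a configured realm only ignoring case."""
    realms = set(sections.get("realms", {}))
    realms.add(sections.get("libdefaults", {}).get("default_realm", ""))
    checks = [("principal " + principal, principal.rpartition("@")[2])]
    checks += [("domain_realm " + k, v) for k, v in sections.get("domain_realm", {}).items()]
    return [f"{where}: realm {name!r} differs only by case from {realm!r}"
            for where, name in checks for realm in realms
            if realm and name != realm and name.lower() == realm.lower()]
```

Run against the principal from the kinit line above, the check reports its lower-case realm `home.rahim-dale.org` against the configured `HOME.RAHIM-DALE.ORG`; since realm names are compared case-sensitively, that is the cheapest thing to rule out before editing the configuration files.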
On 2023-04-12 15:42, Peter Milesson via samba wrote:
>
>
> On 12.04.2023 21:26, Gary Dale via samba wrote:
>> I'm following the Debian wiki at
>> https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory since
>> it seems to be the only one I can find and since I'm running
>> Debian/Bookworm on an AMD64 system. I'm in the section "Configure
>> Kerberos" which is near the start.
>>
>> My /etc/krb5.conf file (with most comments removed) is:
>>
>>> # cat /etc/krb5.conf
>>> [logging]
>>>         Default = FILE:/var/log/krb5.log
>>>
>>> [libdefaults]
>>>         default_realm = HOME.RAHIM-DALE.ORG
>>>         ticket_lifetime = 24000
>>>         clock-skew = 300
>>> # The following libdefaults parameters are only for Heimdal Kerberos.
>>>         fcc-mit-ticketflags = true
>>>         rdns = false
>>> [realms]
>>>         HOME.RAHIM-DALE.ORG = {
>>>                 kdc = dc1.home.rahim-dale.org
>>>                 admin_server = dc1.home.rahom-dale.org
>>>         }
>>>
>>> [domain_realm]
>>>         .rahim-dale.org = HOME.RAHIM-DALE.ORG
>>>         rahim-dale.org = HOME.RAHIM-DALE.ORG
>>>
>> I've also tried it with Heimdal Kerberos parameters commented out. It
>> didn't make any difference. I get the same error. Web searches say
>> this is usually a result of capitalization errors in the .conf file,
>> but it seems OK to me.
>>
>>> root@transponder:~# kinit Administrator@home.rahim-dale.org
>>> Password for Administrator@home.rahim-dale.org:
>>> kinit: KDC reply did not match expectations while getting initial
>>> credentials
>>>
>> The krb5.conf file on the DC is:
>>
>>> [libdefaults]
>>> default_realm = HOME.RAHIM-DALE.ORG
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>>
>>> [realms]
>>> HOME.RAHIM-DALE.ORG = {
>>> default_domain = home.rahim-dale.org
>>> }
>>>
>>> [domain_realm]
>>> dc1 = HOME.RAHIM-DALE.ORG
>>>
>>
>> Any ideas on what I'm doing wrong?
> Hi Gary,
>
> My krb5.conf on the second DC (the one without FSMO roles) has got the
> entry under [domain_realm] all in upper case, like DC1 =
> HOME.RAHIM-DALE.ORG. Kerberos seems to be picky about upper case, but
> it's just an idea.
>
> On the member server your krb5.conf should just be:
>
> [libdefaults]
>         default_realm = HOME.RAHIM-DALE.ORG
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> Best regards,
>
> Peter
>
I've tried it both ways (dc1 and DC1) and get the same result. And yes, I
did restart the krb5-admin-server in between.
On 2023-04-12 15:42, Peter Milesson via samba wrote:
> Hi Gary,
>
> My krb5.conf on the second DC (the one without FSMO roles) has got the
> entry under [domain_realm] all in upper case, like DC1 =
> HOME.RAHIM-DALE.ORG. Kerberos seems to be picky about upper case, but
> it's just an idea.
>
> On the member server your krb5.conf should just be:
>
> [libdefaults]
>         default_realm = HOME.RAHIM-DALE.ORG
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> Best regards,
>
> Peter
>
Trying things on two Linux boxes now: the member server and my workstation.
Getting the same results on both. I tried your suggested shorter krb5.conf
file but it didn't change anything.